Synopsis

Type/Severity

Topic

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server. (CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)
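The trailer behaviour described for CVE-2013-5704, shown from the audit side as an added example (not code from Red Hat or the httpd project): a strict chunked-request parser that reports trailer fields which were never seen during initial header processing. The function names, header names and sample request are assumptions constructed for illustration.

```python
HEX = b"0123456789abcdefABCDEF"

def _fields(lines):
    """Parse 'Name: value' lines into a dict keyed by lower-case name."""
    out = {}
    for line in lines:
        if not line:
            break  # blank line ends the field block
        name, _, value = line.partition(b":")
        out[name.strip().lower().decode()] = value.strip().decode()
    return out

def parse_chunked_request(raw):
    """Return (headers, body, trailers) for one chunked HTTP/1.1 request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = _fields(head.split(b"\r\n")[1:])  # skip the request line
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        raise ValueError("not a chunked request")
    body = b""
    while True:
        size_line, sep, rest = rest.partition(b"\r\n")
        size_field = size_line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not sep or not size_field or any(c not in HEX for c in size_field):
            raise ValueError("malformed chunk size line")
        size = int(size_field, 16)
        if size == 0:
            break  # last-chunk; the trailer section follows
        if rest[size:size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body, rest = body + rest[:size], rest[size + 2:]
    return headers, body, _fields(rest.split(b"\r\n"))

def audit_trailers(raw):
    """List trailer fields that were not part of initial header processing."""
    headers, _, trailers = parse_chunked_request(raw)
    declared = {n.strip().lower() for n in headers.get("trailer", "").split(",")}
    findings = []
    for name in trailers:
        if name in headers:
            findings.append((name, "repeats a request header"))
        elif name not in declared:
            findings.append((name, "not declared in Trailer header"))
    return findings

# Constructed sample request (not captured traffic); header names are made up.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
          b"5\r\nhello\r\n0\r\n"
          b"X-Checksum: abc123\r\nX-Constructed: 1\r\n\r\n")
```

Calling `audit_trailers(SAMPLE)` reports the undeclared `x-constructed` field; the parser rejects malformed chunk-size lines instead of guessing at them.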

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)